 Welcome back to the Cyber Underground. I'm Dave Stevens, your host and this is our mission here on this show to dig deep to find out how cybersecurity touches all of us in our everyday lives. Today, once again, I have my exceptional co-host, the Texar, Gordo. Welcome back. You don't need a nickname this time. We were doing Justin Case. Justin Case. They are Phil Ingeling. Justin Time. Justin Time. Right. Justin Time. How are you doing? How are you doing, man? It's good to have you back. And today, we have a guest star here from Capulani Community College, assistant professor of technology, Hal Cochran, talking about network configuration and management and some best practices and some basic housekeeping we should do for our home and business networks. Hal, where'd you come from? How'd you get here? Tell us a little bit about yourself. Well, I'm originally from Providence, Rhode Island. I've been here in Hawaii about 11 years. I was in tech support at the University of Rhode Island and wanted to come to Hawaii and was lucky enough to find a similar spot for myself within the University of Hawaii system. So I moved out here about 11 years ago, worked at Hawaii CC, sorry, Honolulu CC for a few years and then moved on to Capulani. CC, I spent the last year at Hawaii CC, so I've made the circuit. But you really made it around, too. And now I'm coming back to Capulani. We're glad to have you back. Coming back home. Coming back home. And while you were out there, you also did CyberPatriots. I was a mentor for the CyberPatriot team for a Kauai High School team. Can you tell our audience a little bit about CyberPatriots, because that's a really interesting topic there. Sure. Well, it's kind of like a capture of a flag type of cybersecurity competition event for high school students. So it captures the flag as opposed to like attack and defend where you have different teams attacking each other or defending against hackers. This is more where they have some virtual machine systems and the students go in and they basically just need to lock down the system. So they need to find the insecure configurations and correct them and harden the systems. Every practice for kids, especially nowadays, when we have to set up our own home and business, that works. Yeah. Exactly. Well, like a whole group attack the hill. Is it like King of the Hill? That's right. Is it kind of like King of the Hill? It's more like each one attacks their own system and then they compare all of them and see who did it better. Got it. Yeah. So the capture of the flag, they'd have to get a file and put their name in it or change the file in the name or something like that. Yeah. The capture of the flag would probably be more like where they have to find some kind of Easter egg somewhere. This is more where they're just doing configurations, locking down the systems. The VMs are pretty interesting. They actually, some of them are self-grading. So as they make a change, they can see that they get points. So it's like playing a video game. Oh, wow. So this is a... And it plays a little song. So this is a virtual machine, right? When they choose a point. So they hear this little tune. Yeah. Is it like a death march or something? No, no. It's like a happy little song. It's like a Super Mario little song, sounds like a Nintendo song. Okay. And if they do something wrong, they get kind of a sad song. Now, this is a virtual environment. So it's a sandbox. It's enclosed. It can't get out to any other systems. No, these are completely isolated systems. So the VM is a virtual machine and there's a number of these virtual machines in this sandbox. Yeah. They'll have a Windows virtual machine. They'll have a Linux virtual machine so that they get their hands on kind of different operating systems. So how many young adults are participating in these programs? That's a good question. I'm not sure I have a good answer for what the total is. More than 20, less than 40. Students? Yeah. Way more than 20. Yeah. There's teams all over the state. One in 20 teams, I would say, throughout the country. Oh, really? Oh, wow. That's good. It's possible to have more than 20 for a team and then that could be one on high school. It's a national event so that they're competing with teams all over the country. The team on quite was fairly small. It was only like four students. So these are all high school students that are really getting their hands dirty and dirty. And I do mean dirty in this world that's out there and competing with each other in a way. Now, this is great. This is good stuff, man. When students are in high school, they're exposed to a vast amount of technology these days. I mean, you've got smartphones, you've got a wireless network, you've got a laptop. Hey, you've got your wrist. I've got a smart watch, right? There's the Internet of Things. I've got my hearing aids here, I mean, I don't know. There's Alexa. You can talk to your TV now and there's all these wireless devices that are hooked up to your network and it's great for the kids to know what are the possibilities of compromise on networks. When you think of this network you have at home, it's this ubiquitous magical thing you hook up and you have Internet connectivity, but they need to know what the risks are. So that's what we're here to talk about, setting up, first of all, a home network and then a small business network. So let's talk about setting up our home network. And let's define a couple of the objects you usually get when you're setting up your home network. The first thing that you call one of your cable companies, they bring over that first device that translates the signal they're sending to you to what you need to hook up to your computers. Let's talk about that one first. So that's what they call the cable modem. It's usually a router and a server and a modem, all kind of built into one device. So it's actually a pretty multi-purpose device that we call a cable modem. But as you said, it converts the ISP, the cable company, converts their network to your home network. Your home network is usually an ethernet, the cable that we're used to seeing. But that's probably not what's coming into your house. So you need something to convert between those two dissimilar networks. So that's one of the things that the modem does. In addition, because it's connecting two different networks together, it's acting as a router. That's what routers do. They sit between two ethernetworks and they pass the data back and forth between the... Because most data is passed as packets from computer to pewter. And the router will take that packet and recognize, because of a routing table on it, where it has to pass that information, what computer needs that info. Right? There's an address in there. Right. So I've got my little network at home. That's what I already got going. And that's all going through the router. And then the router's there. And that gets me outside to the internet service provider. And all the routing that goes out there with the millions of billions of devices there. The routing tables are a little bigger. A little larger. A little bigger. Yeah, right? So we're actually, when we're building a home network, we're building a smaller representation of the internet in general. Yeah. Right? Yeah. The internet is made up of billions of small networks. So we're creating one... It becomes one of the parts of the internet. Oh my gosh. And that's the... And that's the... Oh my gosh. Moment. When you're part of the system, right? Yeah. Yeah. Well, it keeps us safe though. I mean, we have a cable modem. And does that mean the rest of the world can just look at any computer that's on my network? No. The cable modem will usually do something called network address translation. Which means that it will have... There's two different types of IP addresses. Now, there's an internet protocol address. That's four groups of three numbers. That's the number that you assign to your computer to allow it to talk to other computers. There's two types. IP version 4, IP version 6. IP version 4 is probably still the most common in the home networks. So it consists of four of what we call octets. Groups of eight bits represented as a decimal number between 0 and 255. So when we see something like CSI and they give an IP address and it starts with a 300, we know that's... No. 198.162.280. Okay. Something like that. So we translate between... You're saying the internet sees a public IP address and behind our modem we have private IP address. Exactly. So these two groups that are just basically designated to be... By the powers that control IP addressing, these numbers will be private, these will be public. Set aside. Yes. This is a never allowed to be seen on the public internet. The only good to be used on internal... Should never be allowed. Should never. Should never. Should never. Oh, the problem. I'm sure that's happened a few times. Any correctly configured router will block that from going out onto... So who am I counting on to correctly configure that router? It depends on this situation. You mean my service provider? Yes. Do you think they should know correctly configured routers? I would hope so. I would hope so, but I can't vouch for that. I know. That's always the dilemma. Never know. It's a dilemma, right? They come out with... What are they automatically configured? Some of them. Right? So you don't really know what they're doing. They don't know. What's the next device? So if I wanted to take control of, say, inside of that IP address, inside of my home network, I want to take control of the routing and the Wi-Fi network and the addressing and the security, I need another device behind the modem. So you would need, if you'd like to be able to connect multiple devices through that network connection and also maybe to have a Wi-Fi network inside your house, then you need to have a wireless access point with a router. So again, this is another kind of multipurpose device. It's doing routing because it's connecting, again, two different networks together. And it's providing wireless access, so it's a wireless access point. So you've got a router from the provider. You have a wireless access point that you may buy or even the provider might provide you with. It could. You could get some do. And so now you've got two of these devices that have to be configured properly on the network that allows you to get out to the World Wide Web. Well, the K-1 should be correctly configured by the ISP. We hold that. But you're responsible for configuring the internal router that gives you the Wi-Fi. But what if I get an internal router from a provider? Should they be responsible for doing that? That depends on what your service level agreement is, I suppose. So this is a tricky one, right? This is a tricky one, yes. If they give it to you and you use it exactly as it's configured, they will take responsibility for it. At the moment you say, oh, I want to change my Wi-Fi password because my neighbor has it now, they're going to say, well, then you're responsible for this. Or how about not broadcasting your ID? So that's isn't the best practices, right? Don't broadcast your SSID. So the SSID, for those of you out there, you need to know, when you're looking for a Wi-Fi signal from your laptop or your computer, you get a list, a drop-down list of all the available networks out there. Those names that you're seeing are called SSIDs and they're being broadcast. Service Set Identifier. Service Set Identifier. So those are actually a security hole. I mean, if you really want to set up your network securely, once you've configured all your devices and connected to your Wi-Fi, you shut that off. Well, just because you're not broadcasting your service set identifier does not guarantee people won't be able to find your network. Someone who knows what they're doing, who has the right equipment, can still find it. The kind of casual observer war-driving through your neighborhood looking for easy, low-hanging fruit, you know, just networks to be able to jump on, they're probably not going to find it. Well, it's to find war-driving. We're walking as well, as when people walk around a hacker, walks around or drives around a neighborhood, looks for these SSID symbols and the names. And usually there's a little graphic right next to the name that identifies whether it's locked or not. I used to jump when I was back in the bus. There it is, SSID, I was in the bus. So if you don't have that little locking symbol, you don't need a password. There's no encryption, no nothing, you just hop onto that network and go for broke. So what happens in neighborhood I was from when I was a kid and this first started becoming popular, the war-driving, the spray paint assemble outside your house or on a nearby curb so that other people driving by would see, oh, there's an available network that's not secured, I can use that one. So what they do now is on the internet they have these maps and you can look at these maps and you can see where all of the different open networks are. So they upload it into a database that's just represented on the internet as this map shows. It's pretty easy to find. Pick it up on the deep web, like we talked about. On the deep web, so I guess the danger there would be when certain people ask me and this question has come up, who cares if someone else is using my bandwidth, I don't use all of it anyway. If someone needs, why can't I just do a charitable thing and let them use my network? My answer is always, what if they do something nefarious? You're responsible, they're using your network connection. Your public-facing IP address is what the world sees. So all three of us are on the same Wi-Fi through the same cable modem. We all go out to the internet. The internet sees us all as that one public IP address. My S.S.I.D. is David Stevens. Oh, good for you. Right on. Oh, man. But true, their point is, is the fact that even though someone else has jumped on your network, it's you. It's you, not them. It's you. And if they're downloading illegal movies, the ISPs are going to shut you off. They're not going to be able to say, oh, wasn't me, it was somebody? It was your network. So we're going to shut you off. Because you're responsible. Thank you. We have a one minute break to please the powers that be the benevolent gods. So we'll be right back. You can be the elf. Yeah. Welcome back to the Cyber Underground for the second part of our show. Today we've got our exceptional co-host, the tech czar. Yeah, I look just like you. Not Andrew. Sorry. Sorry. Gordon. I think I need a refill. That's okay, Frank. So we've got our guest, Luis, from the get-go. Luis. Oh, nice. That's a wrap. We're talking about home networks and configuring them at best practices, war driving. And now let's get into the other things that you can connect to your home network and your Wi-Fi that are not your computer. We're talking about the internet of things, everything from my smart watch to my smartphone, to my not-so-smart TV, to my really dumb teddy bear. Then you want to tell us what are the things you learned at the PCAT symposium yesterday? Yeah. At the PCAT IT symposium, I... No, that's Pacific Center for Advanced Technology Training for the Hawaii Community Colleges out here in Hawaii. So they had a symposium with a lot of presentations. And one of them was by Jodi Itor, CIO. Jodi Itor, yeah, who's the Chief Security Officer for the U.S. system. And she introduced her talk with Internet of Things and some of the devices you would never think about that have been recently hacked. So one was the teddy bear. There was this talking teddy bear that children could talk to and it would respond. And it used this back-end database that it would access. It would upload to the internet, yeah. And of course, there was almost no security on this, so hackers were able to hack these teddy bears and then they could collect the voice. They could talk to the kids or whatever they wanted to do with these teddy bears. They could listen to what was going on. Right. They could listen to the recording and everything going on in the room. Absolutely. And that's a little spooky and creepy at the same time. That's a little off the grid now. So for Christmas last year, someone gave us something called a Pet Cube. Oh, I saw it. And my wife said, that is so neat. Now I can monitor my pets when I'm at work. And I said, that's kind of cool. Let's see how this works. So I hooked it up and it attached to my Wi-Fi network with no security. And it had a microphone and it had a camera. And for some reason, it had public IP. It had a public IP? I don't know. I haven't broken this thing down to see how it was configured like. But as soon as that happened, I went, oh no, we're out of here. We can't do this. Because I could log in from a website without a username and password and see the inside of my house. Yes, there were my pets. Probably tearing apart my couch or doing something. We're stealing the roll-aids, which has happened recently. But no, that's no security. I can't have that. But that's the kind of thing that's for sale, like the teddy bear. It was a username, password, and people could put one, two, three, four as a password. And then hackers could get in and see your kids. I mean, that's a big security risk. That's huge. And there's a lot of other things. I mean, we talked about the Samsung TV. The CIA can spy on you. But I don't imagine now that those tools are released, it's too hard for somebody other than the CIA to be breaking into TVs. I don't know the microphone. Let's go to the deep and the dark web and we see what we can find in that company. Well, you don't need to go deep, right? We still have a showdown. That's right. If you go to showdown, I'm not going to describe showdown to you. You guys can go out and look out for showdown. But you will find that all the default passwords for all the default devices out there are listed out there, and you can find them any time you want. Which is why when you put one of these home networks together, they have this easy setup that you can walk through one, two, three. But if you don't change the default admin password, sites like showdown are going to tell everybody else what your default password is. And they can remotely configure your device from outside your network, from the internet. So that's the first thing you got to do is change the default password. That's lesson number one. What else can you tell us about IoT? I mean, what other things can we worry about here? Well, Jody talked about some interesting things. One was smart light bulbs. So what about smart light bulbs? So what do they do, first of all? If we plug in a smart light bulb, do we ask questions like Alexa or? Oh, great Oracle. It's more like that's over, but it will let you know when it's about to quit in time to change the light bulb and things like that. It can warn you when it's getting to the end of its life, or when it needs to be changed. Problem is that these light bulbs, as they all talk to each other, it's like a peer-to-peer network where they all share information and talk to each other. So if one of these light bulbs is hacked and infected with a malware, it's going to spread it through all the light bulbs in your house. And then, I guess... It can case back to the manufacturer and take big records on all the stuff. Or you live. Or maybe someone could disable all the light bulbs to leave you in the dark one day if they wanted to. All right, all right. I'll explain it all. Yeah, I had a lot of hopes for these smart light bulbs. I thought maybe every time I put on, like, Barry White, I'd get the mood lighting. You know, you never know. When you put on an iron butterfly, they all go different colors on you. Let's see if I can do that. Let me download the Barry White app right now. I bet there's one out there. I bet there is. So the Barry White and the Barry White Mood app. Mood app. So now, if we use the Internet of Things and all these things connect to our home network, it's got a different name on a business network. Now if I set up a business network and I let everyone bring in their devices and connect to my network, what is that called now? Bring your own device? Oh yeah, bring your own device. So it takes a lot of security policy and implementation to get securely all those devices that aren't owned by the company onto your network safely. So it can be a real challenge because you don't know what type of malware, what type of devices people are bringing on and connecting to your network. And once they're connected to the network, they're able to see everybody else on the network. So if they have malware, it could spread easily from device to device. So that's why it's such a challenge to have bring your own device. Did the state ever try this when you were in Seattle? I was with the sitting and counting. I wasn't with the state. I was with the sitting and counting. We had massive BYOD deployments, but way before that was done, we sat down with specialist organizations in the business that made sure that we put all the right things in place. Because you think about ambulances, HIPAA compliance, police cars, fire trucks, lifeguards, all of those were using some kind of mobile device. And so all of that stuff had to be locked down, secured, tracked. No one, someone lost it, all those kinds of things. Did the sitting and counting give them the device or did they bring their own? We had some that brought their own, but the majority wanted to get something provided by the city. So the police don't bring their own. I mean, there's a lot of reason why that doesn't happen. I wouldn't want to either. I found my police officer. As an IT director. It's liability. I didn't mind bringing my own. And I didn't mind having someone go in and lock it down and do that. Because the comment was, well, if there's ever an investigation, they're going to take your phone. Yeah, but by law, they can only go after the data that's related to that investigation. They can't go after my stuff. So if they lock it down, they're doing your favor. And I did want to carry two phones. I did for five years. I think all of us did for a while. All of us were from the day where we had the pager and the mobile phone. And whatever calculated devices that built. I mean, I have a client that's rolled out 150 MacBook Airs. Mobile. Also, I had to make them all mobile and had to use right products to secure them, lock them all down. Because you have to manage them. I mean, it's just what it is. That's right. The Internet of Things. You don't have a lot of guys to manage that. You just get a couple of guys to manage that. No. I got no guys. Oh, OK. I mean, it's self-managing. That's the beauty of it. A lot of people think it goes on today. That's kind of wrong. I have a client to put in hospital beds all connected to the Internet. So think of that. The hospital beds now connected to the Internet. Well, heart rate monitors already are. The pacemakers. The pacemakers are. This is a tragedy that we have to hook all these devices up. We're getting convenience, but we're creating this huge threat landscape now. We've got to manage this. So what advice do you give to the homeowner? I mean, the homeowners are not techie, you know, not in the business. How do we get them, you know, they go to a store, they see it for sale at the big box warehouse, and they go home and install it all, but they never lock it down. And they press the one button configure, the WPS button. Yeah. And some can't be locked down. Some don't have any security built into them at all. And that's the first question you should ask as a buyer. Right. Oh, this is the right price. Maybe for a reason. Yeah. Yeah. That's 50 bucks. Great. I love it. Look at all that bandwidth. And you take it home and it's just wide open to the whole world. It is wide open. I hope your cameras are open to the whole world. So, but when you do a business network now, when you're talking about configuring the best practices, right, let's compare business to a home network. In the home network, you have some options. And one of them is setting the encryption level of the Wi-Fi signals that are going back and forth. There's several options there. The first one is WEP, W-E-P. Which really isn't an option at all. It's been broken for a decade. It's a non-option. Yeah. It was a weak protocol that on top of that has been completely broken. So, if you go to YouTube, you can find a hundred different videos saying how to crack web in five minutes or less. It's like a band-aid without the stickiness on it. Yeah. So, you do not want to use web. Okay. The next level is WPA, which is what, wireless protected access. Yeah. We have free techies here. We can't do it. Well, there's so many acronyms. WPA. So many acronyms. So many acronyms. And nobody ever uses the full. You always use the acronyms. Yeah. Yeah. Right. But what's out there now on most any router that you buy now will be WPA2. And that's better than the other three that is absolutely the best. Now, when you pick that, you might have a couple other options. You usually have options for the encryption protocol. Right. So, there's usually an option for TKIP and AES, which is advanced encryption protocol. Standard. Standard. Right. Yes. Right now is kind of the. By far. Beagle standard. Yeah. So, if given the option, choose AES. So, I guess our consumers should look for elliptical curve in the future. Right. How many consumers of this show do you think we'll know what an elliptical curve is? Well, if it shows up at the drop-down menu and it's at the bottom, then it's after AES probably. Oh, elliptical curve. Yeah. I don't know how to spell it out. It'll be some acronym. DLC. They don't come preconfigured like this. This is the part that irritates them. Right. So, it comes with the lowest level that you could possibly get, and then they expect John Q. Publix, who's just not in this business, to go in and know what WAP2 is, elliptical protocol, all this stuff, and they're all going. What the heck is all that? Yeah. What is that? Well, then there's given to me that one. There's firewall options too. Yeah. Right. You can whitelist your MAC address, and we don't have time to go into it. Is that a MAC? Is that only for MAC? No. We know that's not true either. So, there's all kinds of identifiers on all these different systems. Our phones have an IMEI number, which is unique. We have an IP address, which is unique. We have a MAC address, which is unique to every single device that's connected to the internet. All these unique addresses identify us at a certain place, at a certain time, and that's our identity. That's where we are. That's what we're doing. That's a little freaky. So, you want to do these security protocols as best you can so you can reduce that landscape that you're broadcasting to the entire world. Right. Any last minute tips for our consumer out there? As much as I hate to say it, probably the best option is call that friend who works in IT and take him, buy him a six pack of beer, come over and set this up for you. That's just a 15-year-old old buy him a pack of beer. No. It's a 15-year-old buy him a carton of milk. You can give him some credit on what, a Minecraft or something? There you go. Perfect. Right. Just don't let him play on your network. That's not it. We'll go again. Now, if we don't, as a last tip now, if we have a ton of devices on our Wi-Fi network and we've got these great protocols on the router, but one of those devices cannot use that protocol, do you have to downgrade all of your other systems? We kind of have to go to the lowest common denominator, which is unfortunate. You'd almost be better off to trade in that particular device for one that can support the most secure protocols. Better bring everybody up than bring everybody down. Absolutely. Great tips. Thanks for being on. Gordon, the tech star. I got it right. Thanks very much. Louise. Hal. Hal Corker from Capilani Community College. Welcome back. Thank you. Good to be home. Okay. Aloha, everybody. Stay safe.